The following is lightly edited and redacted from the Sovrin Glossary V2, which is to date the most comprehensive glossary of this kind and the most adaptable across contexts. Spherity is currently collaborating with other Decentralized Identity Foundation members to edit a more cross-platform version.
Agent
A software program or process used by or acting on behalf of an entity to interact with other agents or with distributed ledgers. Agents are of two types: Edge Agents run at the edge of the network on a local device; Cloud Agents run remotely on a server or cloud hosting service (or even in "serverless" cloud architectures). Agents require access to a wallet to perform cryptographic operations on behalf of the entity they represent.
Controller
An Identity Owner that is responsible for control of another entity—specifically the Private Keys needed to take actions on behalf of that entity. For example, a Thing Controller has a controller relationship with a Thing.
Credential
A digital assertion containing a set of claims made by an entity about itself or another entity. Credentials are a subset of identity data. A credential is based on a credential definition. The entity described by the claims is called the Subject of the credential. The entity creating the credential is called the Issuer. The entity holding the issued credential is called the Holder. The entity to whom a credential is presented is generally called the relying party, and specifically called the Verifier if the credential is a Verifiable Credential.
Credential Offer
An Agent-to-Agent Protocol message type sent from an Issuer to a Holder to invite the Holder to send a Credential Request to the Issuer.
Credential Request
An Agent-to-Agent Protocol message type sent from a Holder to an Issuer to request the issuance of a Credential to that Holder.
Credential Exchange Protocol
A set of Interaction Patterns within an Agent-to-Agent Protocol for the exchange of Credentials between Entities acting in Credential Exchange Roles.
Cryptographic Trust
Trust bestowed in a set of machines operating a set of cryptographic algorithms that they will behave as expected. This form of trust is based in mathematics and computer hardware/software engineering. Compare with Human Trust.
Decentralized Identifier (DID)
A globally unique identifier developed specifically for decentralized systems as defined by the W3C DID specification. DIDs enable interoperable decentralized Self-Sovereign Identity management. A DID is associated with exactly one DID Document.
DID
Acronym for Decentralized Identifier.
DID Document
The machine-readable document to which a DID points, as defined by the W3C DID specification. A DID Document describes the Public Keys, Service Endpoints, and other metadata associated with a DID. A DID Document is associated with exactly one DID.
DID Method
A specification that defines a particular type of DID conforming to the W3C DID specification. A DID Method specifies both the format of the particular type of DID and the set of operations for creating, reading, updating, and deleting (revoking) it. DID Methods are registered with the W3C to facilitate cross-network resolution by the "Universal Resolver" and its derivatives, which provides protocol-level interoperability between all compliant platforms and their methods.
DID Resolver
A software module that takes a DID as input and returns a DID Document by invoking the DID Method used by that particular DID. Analogous to the function of a DNS resolver.
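The DID, DID Method and DID Resolver entries above describe one pipeline: parse the identifier, dispatch to the method that owns it, and hand back the single DID Document for that DID. The following Python is an added illustration of that pipeline, not code from the Sovrin glossary or from Spherity. The DID syntax follows the W3C DID Core ABNF; the `did:example` method, its in-memory ledger, the placeholder public key and the `did:misbehaving` method are all constructed here to exercise the resolver, including the check that a method cannot return a document for a different DID than the one requested.

```python
import re
from typing import Callable, Dict, Optional, Tuple

# DID syntax from W3C DID Core:  did:<method-name>:<method-specific-id>
#   method-name        = 1*(lowercase letter / digit)
#   method-specific-id = *( *idchar ":" ) 1*idchar
#   idchar             = ALPHA / DIGIT / "." / "-" / "_" / pct-encoded
IDCHAR = r"(?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2})"
DID_RE = re.compile(rf"^did:(?P<method>[a-z0-9]+):(?P<msid>(?:{IDCHAR}*:)*{IDCHAR}+)$")


class DIDResolutionError(Exception):
    """Raised when a DID cannot be parsed or resolved."""


def parse_did(did: str) -> Tuple[str, str]:
    """Split a DID into (method-name, method-specific-id), rejecting malformed input."""
    m = DID_RE.match(did)
    if m is None:
        raise DIDResolutionError(f"invalid DID syntax: {did!r}")
    return m.group("method"), m.group("msid")


def is_valid_did(did: str) -> bool:
    return DID_RE.match(did) is not None


# Registry of DID Methods. Each entry is the method's "read" operation:
# it maps a method-specific-id to a DID Document, or None if none exists.
METHOD_REGISTRY: Dict[str, Callable[[str], Optional[dict]]] = {}


def register_method(name: str):
    def decorator(read_fn: Callable[[str], Optional[dict]]):
        METHOD_REGISTRY[name] = read_fn
        return read_fn
    return decorator


# Constructed, in-memory "ledger" for the hypothetical did:example method.
# The publicKeyMultibase value is a placeholder, not a real key.
_EXAMPLE_LEDGER = {
    "123456789abcdefghi": {
        "verificationMethod": [{
            "id": "did:example:123456789abcdefghi#key-1",
            "type": "Ed25519VerificationKey2020",
            "controller": "did:example:123456789abcdefghi",
            "publicKeyMultibase": "zPLACEHOLDER-not-a-real-key",
        }],
        "service": [{
            "id": "did:example:123456789abcdefghi#agent",
            "type": "DIDCommMessaging",
            "serviceEndpoint": "https://agent.example.com/",
        }],
    }
}


@register_method("example")
def read_example(msid: str) -> Optional[dict]:
    record = _EXAMPLE_LEDGER.get(msid)
    if record is None:
        return None
    return {"@context": "https://www.w3.org/ns/did/v1", "id": f"did:example:{msid}", **record}


@register_method("misbehaving")
def read_misbehaving(msid: str) -> Optional[dict]:
    # Constructed faulty method: always answers with someone else's document.
    return {"id": "did:misbehaving:someone-else"}


def resolve(did: str) -> dict:
    """DID Resolver: parse the DID, dispatch to its DID Method, return the DID Document."""
    method, msid = parse_did(did)
    read_fn = METHOD_REGISTRY.get(method)
    if read_fn is None:
        raise DIDResolutionError(f"unsupported DID method: {method!r}")
    doc = read_fn(msid)
    if doc is None:
        raise DIDResolutionError(f"no DID Document found for {did}")
    # A DID maps to exactly one DID Document. Refuse a document whose id does
    # not match the DID asked for; otherwise a faulty or hostile method could
    # substitute another identity's keys and service endpoints.
    if doc.get("id") != did:
        raise DIDResolutionError(f"DID Document id {doc.get('id')!r} does not match {did!r}")
    return doc


def service_endpoints(doc: dict, service_type: str) -> list:
    """Pull the endpoints of one service type out of a resolved DID Document."""
    return [s["serviceEndpoint"] for s in doc.get("service", []) if s.get("type") == service_type]


if __name__ == "__main__":
    doc = resolve("did:example:123456789abcdefghi")
    print(doc["id"], service_endpoints(doc, "DIDCommMessaging"))
```

The id check at the end of `resolve` is the part worth copying: a resolver that trusts whatever a method returns lets the method, rather than the DID, decide which keys an Agent will encrypt to.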
Holder
A role played by an Entity when it is issued a Credential by an Issuer. The Holder may or may not be the Subject of the Credential. (There are many use cases in which the Holder is not the Subject, e.g., a birth certificate where the Subject is a baby and both the mother and father may be Holders.)
Human Trust
Trust bestowed in a set of humans (Individuals and/or Organizations) that they will behave as expected. This form of trust is based in human social, business, and legal relationships. Compare with Cryptographic Trust.
Identity
Information that enables a specific Entity to be distinguished from all others in a specific context. Identity may apply to any type of Entity, including Individuals, Organizations, and Things. Note that Legal Identity is only one form of Identity. Many technologies can provide Identity capabilities.
Identity Data
The set of data associated with an Identity that permits identification of the underlying Entity. In Self-Sovereign Identity, the sharing of Identity Data is under the control of the Identity Owner.
Identity Owner
This term refers to the subclassifications of an Entity that may be held legally accountable. Identity Owners include Individuals and Organizations but do not include Things. The actual legal accountability of an Identity Owner for any particular action depends on many contextual factors, including the laws of the applicable Jurisdiction, Guardianship, and so forth.
Impersonation
The act of one Entity assuming the Identity of another Entity, often for malicious purposes. Guardianship is not Impersonation because the Guardian is acting on behalf of and with the authorization of the Identity Owner, and is often legally knowable. Delegation is not Impersonation because the Delegate has a recognizable identity distinct from that of the Delegator.
Key Recovery
The process of recovering access to and control of a set of Private Keys—or an entire Wallet—after loss or compromise. Key Recovery is a major focus of the emerging DKMS standard for cryptographic key management.
Organization
A legal Entity that is not a natural person (i.e., not an Individual). Examples of Organizations include a Group, sole proprietorship, partnership, corporation, LLC, association, NGO, cooperative, government, etc. Mutually exclusive with Individual.
Payment
A transfer of cryptographically verifiable units of value from one Entity to another Entity.
Private Data
Data over which an Entity exerts access control. Private Data may be stored by an Agent in a Wallet, a Vault, or another secure location. Mutually exclusive with Public Data.
Private Key
The half of a cryptographic key pair designed to be kept as the Private Data of an Entity. In elliptic curve cryptography, a Private Key is called a signing key.
Public Data
Data over which an Entity does not exert access control—it is publicly available to be read by anyone. Mutually exclusive with Private Data.
Public Key
The half of a cryptographic key pair designed to be shared with other parties in order to decrypt or verify encrypted communications from an Entity. In digital signature schemes, a Public Key is also called a verification key. A Public Key may be either Public Data or Private Data, depending on the policies of the Entity.
Recovery Key
A special Private Key used for the purpose of recovering a Wallet after loss or compromise. In the DKMS key management protocol, a Recovery Key may be cryptographically sharded for secret sharing among multiple Trustees.
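The Key Recovery and Recovery Key entries describe sharding a Recovery Key among Trustees so that a quorum of them can restore a lost Wallet without any single Trustee holding the key. The Python below is an added worked example of that idea, not code from the Sovrin glossary, DKMS or Spherity; it assumes Shamir's threshold secret sharing as the sharding scheme, a prime field large enough for a 32-byte key, and a SHA-256 fingerprint of the key stored alongside the shares so that a reconstruction from too few or tampered shares is rejected rather than silently returning garbage. The 32-byte key in the `__main__` block is constructed test data.

```python
import hashlib
import hmac
import secrets
from typing import List, Tuple

# All arithmetic is done modulo a prime P large enough to hold a 32-byte
# (256-bit) Recovery Key as one field element. 2**521 - 1 is a Mersenne prime.
P = 2**521 - 1

Share = Tuple[int, int]  # (x, y): the sharing polynomial evaluated at x


class RecoveryError(Exception):
    """Reconstruction did not yield the committed key (too few or bad shares)."""


def key_fingerprint(key: bytes) -> bytes:
    """Commitment kept with the Wallet metadata; reveals nothing usable about the key."""
    return hashlib.sha256(key).digest()


def _eval_poly(coeffs: List[int], x: int) -> int:
    """coeffs[0] + coeffs[1]*x + ... + coeffs[k-1]*x^(k-1)  (mod P), by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_recovery_key(key: bytes, threshold: int, trustees: int) -> List[Share]:
    """Shard `key` into `trustees` shares; any `threshold` of them reconstruct it."""
    if not 1 <= threshold <= trustees:
        raise ValueError("need 1 <= threshold <= trustees")
    secret = int.from_bytes(key, "big")
    if secret >= P:
        raise ValueError("key too large for the field")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    # One share per Trustee at x = 1..n (x = 0 would be the secret itself).
    return [(x, _eval_poly(coeffs, x)) for x in range(1, trustees + 1)]


def recover_key(shares: List[Share], key_len: int, fingerprint: bytes) -> bytes:
    """Lagrange-interpolate the polynomial at x = 0 and check it against the fingerprint."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs) or 0 in xs:
        raise ValueError("shares must have distinct non-zero x values")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    # Fewer than `threshold` shares interpolate to a random field element, so
    # it will almost always overflow key_len bytes or fail the fingerprint.
    if secret.bit_length() > 8 * key_len:
        raise RecoveryError("reconstructed value does not fit; too few or wrong shares")
    key = secret.to_bytes(key_len, "big")
    if not hmac.compare_digest(key_fingerprint(key), fingerprint):
        raise RecoveryError("fingerprint mismatch; too few or wrong shares")
    return key


if __name__ == "__main__":
    recovery_key = bytes(range(32))            # constructed 32-byte test key
    fp = key_fingerprint(recovery_key)
    shares = split_recovery_key(recovery_key, threshold=3, trustees=5)
    assert recover_key(shares[:3], 32, fp) == recovery_key
    print("3 of 5 Trustees recovered the key; 2 of 5 raise RecoveryError")
```

The fingerprint is what turns "any three shares" into a verifiable recovery step: Shamir's scheme alone cannot tell a correct quorum from a short or tampered one, so a Wallet performing Key Recovery should always carry some commitment to compare against before it starts using the reconstructed key.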
Resolver
A software module that accepts an Identifier as input, looks up the Identifier in a database or ledger, and returns metadata describing the identified Entity. The Domain Name System (DNS) uses a DNS resolver. Self-Sovereign Identity uses a DID Resolver.
Self-Sovereign Identity (SSI)
An identity system architecture based on the core principle that Identity Owners have the right to permanently control one or more Identifiers together with the usage of the associated Identity Data.
Sovereign Domain
The set of Agents, Wallets, Vaults, devices, services, and other digital resources over which an Identity Owner exercises sovereignty. Note that the actual sovereignty of the Identity Owner is limited to the degree that such control is protected by the Developer of the hardware or software the Identity Owner is using.
Thing
An Entity that is not an Individual or an Organization and thus cannot be held legally accountable. A Thing may be a Natural Thing or a Man-Made Thing. In Self-Sovereign Identity, a Thing is represented by an Agent that can form Connections, exchange Credentials, and communicate securely even if the Thing itself is not network-enabled. Mutually exclusive with Identity Owner.
To participate in an SSI ecosystem, every Thing must have a Thing Controller. NOTE: Not all objects are Things in the sense defined here. A Thing must be a uniquely identifiable Entity that is not fungible, i.e., not directly replaceable or exchangeable with another Thing.
Thing Controller
A Controller that controls the Identity Data, including the Private Keys, for a Thing. Every Thing must have a Thing Controller. The Thing Controller may or may not be the legal owner of the Thing; however, the Thing Controller may still be legally responsible for actions that Agent(s) take on behalf of the Thing.
Vault
A term used to describe cryptographically protected secure storage that is outside a Wallet but still accessible to and/or managed by an Agent. A Vault may (but is not required to) contain a Wallet. A Vault is often used for secure storage of digital assets too large to fit into a Wallet, or to manage identities in batches and/or by quorum. Encryption and decryption of the contents of the Vault is usually performed by an Agent using Private Keys stored in a Wallet.
Wallet
A software module, and optionally an associated hardware module, for securely storing and accessing Private Keys, Link Secrets, other sensitive cryptographic key material, and other Private Data used by an Entity. A Wallet is accessed by an Agent.